From 91fadbca17ac7e79bc60684c9f4d64c3892398e1 Mon Sep 17 00:00:00 2001
From: Robert Griesemer <gri@golang.org>
Date: Mon, 15 Aug 2011 15:15:54 -0700
Subject: [PATCH] godoc: fix escaping in templates

- HTML-escape URL paths
- URL-escape URL parameters

R=bradfitz
CC=golang-dev
https://golang.org/cl/4890041
---
 lib/godoc/codewalkdir.html |  7 ++++---
 lib/godoc/dirlist.html     |  3 ++-
 lib/godoc/search.html      | 25 +++++++++++++------------
 src/cmd/godoc/godoc.go     |  2 +-
 4 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/lib/godoc/codewalkdir.html b/lib/godoc/codewalkdir.html
index 6fe1a0565a..2d81d9cc4d 100644
--- a/lib/godoc/codewalkdir.html
+++ b/lib/godoc/codewalkdir.html
@@ -7,9 +7,10 @@
 <table class="layout">
 {{range .}}
 <tr>
-    <td><a href="{{html .Name}}">{{html .Name}}</a></td>
-    <td width="25">&nbsp;</td>
-    <td>{{html .Title}}</td>
+	{{$name := html .Name}}
+	<td><a href="{{$name}}">{{$name}}</a></td>
+	<td width="25">&nbsp;</td>
+	<td>{{html .Title}}</td>
 </tr>
 {{end}}
 </table>
diff --git a/lib/godoc/dirlist.html b/lib/godoc/dirlist.html
index 422397e522..841e474e21 100644
--- a/lib/godoc/dirlist.html
+++ b/lib/godoc/dirlist.html
@@ -18,7 +18,8 @@
 </tr>
 {{range .}}
 <tr>
-	<td align="left"><a href="{{.|fileInfoName|html}}">{{.|fileInfoName|html}}</a></td>
+	{{$name := .|fileInfoName|html}}
+	<td align="left"><a href="{{$name}}">{{$name}}</a></td>
 	<td></td>
 	<td align="right">{{html .Size}}</td>
 	<td></td>
diff --git a/lib/godoc/search.html b/lib/godoc/search.html
index 946160cf53..776becda2e 100644
--- a/lib/godoc/search.html
+++ b/lib/godoc/search.html
@@ -3,6 +3,7 @@
 	Use of this source code is governed by a BSD-style
 	license that can be found in the LICENSE file.
 -->
+{{$query := urlquery .Query}}
 {{with .Alert}}
 	<p>
 	<span class="alert" style="font-size:120%">{{html .}}</span>
@@ -20,13 +21,13 @@
 	{{with .Decls}}
 		<h2 id="Global">Package-level declarations</h2>
 		{{range .}}
-			{{$pkg := pkgLink .Pak.Path}}
-			<h3 id="Global_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
+			{{$pkg := pkgLink .Pak.Path | html}}
+			<h3 id="Global_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
 			{{range .Files}}
-				{{$src := srcLink .File.Path}}
+				{{$src := srcLink .File.Path | html}}
 				{{range .Groups}}
 					{{range .Infos}}
-						<a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{html $src}}:{{infoLine .}}</a>
+						<a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{$src}}:{{infoLine .}}</a>
 						{{infoSnippet_html .}}
 					{{end}}
 				{{end}}
@@ -36,11 +37,11 @@
 	{{with .Others}}
 		<h2 id="Local">Local declarations and uses</h2>
 		{{range .}}
-			{{$pkg := pkgLink .Pak.Path}}
-			<h3 id="Local_{{html $pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
+			{{$pkg := pkgLink .Pak.Path | html}}
+			<h3 id="Local_{{$pkg}}">package <a href="/{{$pkg}}">{{html .Pak.Name}}</a></h3>
 			{{range .Files}}
-				{{$src := srcLink .File.Path}}
-				<a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>
+				{{$src := srcLink .File.Path | html}}
+				<a href="/{{$src}}?h={{$query}}">{{$src}}</a>
 				<table class="layout">
 				{{range .Groups}}
 					<tr>
@@ -49,7 +50,7 @@
 					<td align="left" width="4"></td>
 					<td>
 					{{range .Infos}}
-						<a href="/{{$src}}?h={{urlquery $.Query}}#L{{infoLine .}}">{{infoLine .}}</a>
+						<a href="/{{$src}}?h={{$query}}#L{{infoLine .}}">{{infoLine .}}</a>
 					{{end}}
 					</td>
 					</tr>
@@ -71,17 +72,17 @@
 	<p>
 	<table class="layout">
 	{{range .}}
-		{{$src := srcLink .Filename}}
+		{{$src := srcLink .Filename | html}}
 		<tr>
 		<td align="left" valign="top">
-		<a href="/{{$src}}?h={{urlquery $.Query}}">{{html $src}}</a>:
+		<a href="/{{$src}}?h={{$query}}">{{$src}}</a>:
 		</td>
 		<td align="left" width="4"></td>
 		<th align="left" valign="top">{{len .Lines}}</th>
 		<td align="left" width="4"></td>
 		<td align="left">
 		{{range .Lines}}
-			<a href="/{{$src}}?h={{urlquery $.Query}}#L{{.}}">{{html .}}</a>
+			<a href="/{{$src}}?h={{$query}}#L{{html .}}">{{html .}}</a>
 		{{end}}
 		{{if not $.Complete}}
 			...
diff --git a/src/cmd/godoc/godoc.go b/src/cmd/godoc/godoc.go
index 98fdc19d04..e3f8ad8d36 100644
--- a/src/cmd/godoc/godoc.go
+++ b/src/cmd/godoc/godoc.go
@@ -481,7 +481,7 @@ func posLink_urlFunc(node ast.Node, fset *token.FileSet) string {
 	}
 
 	var buf bytes.Buffer
-	buf.WriteString(http.URLEscape(relpath))
+	template.HTMLEscape(&buf, []byte(relpath))
 	// selection ranges are of form "s=low:high"
 	if low < high {
 		fmt.Fprintf(&buf, "?s=%d:%d", low, high) // no need for URL escaping
-- 
2.48.1